How to migrate certbot from server A to server B with the same certificate

Hello,

I plan to stop my web server A.
I am installing a new web server B.

What is the procedure to install certbot and migrate the certificate?
I plan to do this:

serverB
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache

serverA
rsync -az /etc/letsencrypt serverB:/etc/

Do you agree with me?

Thank you for your help

Hi,

I personally don't think it's a good idea to move folders.

What about just moving your DNS record then reissue certs?

However,
If you are going to move folders, previous posts might help.

Thanks

I use this server for seafile .

If I just move DNS and reissue the certs,
all my clients have to accept the new cert (about 500 clients …).

I really need to keep exactly the same certs.

OK, I tried to reissue the certs following the explanation on the web site,
but it doesn't work.
Any idea?
On the web site, you announce a new version of certbot in a few days?

certbot --authenticator webroot --installer apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

AH00526: Syntax error on line 11 of /etc/apache2/sites-enabled/000-default.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/seafile.lmgc.univ-montp2.fr/fullchain.pem’ does not exist or is empty

Seems you got a config error in Apache.

Yes, it's because the folder /etc/letsencrypt/live doesn't exist.

That's why I want to move the folder.

Why? Let's Encrypt issues certs that are trusted by just about everyone; there shouldn't be any need to manually trust them (unless you're using some off-the-wall custom client app that doesn't do proper certificate validation). And if your clients do need to manually trust your certs each time you get a new one, they'll need to do that every couple of months anyway.

Moving the directory as you're suggesting should work, as long as that rsync command will preserve symbolic links. And I don't see a compelling reason not to, as long as you have a secure (i.e., VPN or other encrypted) connection between the two servers. But there shouldn't be any reason to need to do this.

That's not how this works, or else you'd have issues every two-three months when you renew your certificates.

However, that issue is because you migrated your configuration, but didn't account for the fact that the certificate doesn't exist yet. You would need to fix that configuration (I don't have a suggestion for the best way without seeing full config files) so that Apache can start, then let Let's Encrypt issue a new certificate.

Did you run this with sudo? If not, then it will not have copied all the necessary files.

To do this completely without any permissions issues I usually stage the transfer through my home directory on both sides, e.g.:

ssh oldserver
sudo rsync -av /etc/letsencrypt /home/username
rsync -av /home/username/letsencrypt newserver:/home/username
exit
ssh newserver
sudo rsync -av /home/username/letsencrypt /etc

I can't remember if I had to fix up any file ownership afterwards.

1 Like
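The checks below are an added example, not code from this thread or from certbot. They cover the two things the thread trips over: whether the copied /etc/letsencrypt tree still has working live/ -> archive/ symlinks and a usable, non-world-readable private key (the staged rsync above, and the earlier note that a copy without sudo misses files), and whether the Apache vhost references files that actually exist, which is the AH00526 configtest failure quoted earlier. Everything runs on a constructed fixture under mktemp; the hostname example.test, the fixture layout and the helper names (check_letsencrypt_tree, check_apache_cert_refs, make_fixture) are assumptions made for the example. On the real server B you would run the two check functions as root against /etc/letsencrypt and /etc/apache2/sites-enabled before pointing Apache at the new tree.

```shell
#!/bin/sh
# Added example, not from the thread or from certbot. Sanity checks for a copied
# /etc/letsencrypt tree and for the Apache vhost that references it.
# Assumes certbot's standard layout: live/<name>/{cert,chain,fullchain,privkey}.pem
# are relative symlinks into archive/<name>/. Paths containing whitespace are not handled.

# check_letsencrypt_tree ROOT
# Every live/<name>/*.pem must be a symlink resolving to a non-empty regular file
# under ROOT/archive/<name>/, and the resolved private key must not be world-readable.
# Prints one line per problem; returns the number of problems (0 = tree looks usable).
check_letsencrypt_tree() {
  root=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such directory: $1"; return 1; }
  problems=0
  if [ ! -d "$root/live" ] || [ ! -d "$root/archive" ]; then
    echo "$root lacks live/ or archive/ (copied without sudo or without rsync -a?)"
    return 1
  fi
  for lineage in "$root"/live/*/; do
    [ -d "$lineage" ] || continue
    name=$(basename "$lineage")
    for f in cert chain fullchain privkey; do
      link="$lineage$f.pem"
      if [ ! -L "$link" ]; then
        echo "live/$name/$f.pem is not a symlink (copied with cp or rsync -L?)"
        problems=$((problems + 1)); continue
      fi
      # readlink -f resolves certbot's relative ../../archive/<name>/... links
      target=$(readlink -f "$link" 2>/dev/null || true)
      case "$target" in
        "$root/archive/$name/"*) ;;
        *) echo "live/$name/$f.pem points outside archive/$name: $target"
           problems=$((problems + 1)); continue ;;
      esac
      if [ ! -s "$target" ]; then
        echo "live/$name/$f.pem -> $target does not exist or is empty"
        problems=$((problems + 1)); continue
      fi
      if [ "$f" = privkey ] && [ -n "$(find "$target" -prune -perm -004)" ]; then
        echo "$target is world-readable; fix with: chmod 600 $target"
        problems=$((problems + 1))
      fi
    done
  done
  return "$problems"
}

# check_apache_cert_refs CONF_DIR
# Reproduces Apache's AH00526 check without apache2ctl: each SSLCertificateFile,
# SSLCertificateKeyFile and SSLCertificateChainFile directive in CONF_DIR/*.conf
# must name an existing, non-empty file. Returns the number of bad references.
check_apache_cert_refs() {
  confdir=$1
  bad=0
  refs=$(awk 'tolower($1) ~ /^sslcertificate(key|chain)?file$/ {
                gsub(/"/, "", $2); print $1 "=" $2 }' "$confdir"/*.conf 2>/dev/null)
  for ref in $refs; do
    directive=${ref%%=*}; path=${ref#*=}
    if [ ! -s "$path" ]; then
      echo "$directive $path does not exist or is empty"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# make_fixture DIR MODE  (constructed test data, not a real certbot tree)
# MODE=good builds a correct live/ -> archive/ layout plus a vhost referencing it.
# MODE=bad mimics a tree copied without -a and without sudo: fullchain.pem became a
# plain file and the private key came across empty.
make_fixture() {
  dir=$1; mode=$2; name=example.test
  mkdir -p "$dir/live/$name" "$dir/archive/$name" "$dir/sites-enabled"
  for f in cert chain fullchain privkey; do
    printf 'placeholder %s\n' "$f" > "$dir/archive/$name/${f}1.pem"
    ln -s "../../archive/$name/${f}1.pem" "$dir/live/$name/$f.pem"
  done
  chmod 600 "$dir/archive/$name/privkey1.pem"
  if [ "$mode" = bad ]; then
    rm "$dir/live/$name/fullchain.pem"
    cp "$dir/archive/$name/fullchain1.pem" "$dir/live/$name/fullchain.pem"
    : > "$dir/archive/$name/privkey1.pem"
  fi
  cat > "$dir/sites-enabled/000-default.conf" <<EOF
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile "$dir/live/$name/fullchain.pem"
    SSLCertificateKeyFile "$dir/live/$name/privkey.pem"
</VirtualHost>
EOF
}

# Demonstration on constructed fixtures (on the real server B use /etc/letsencrypt
# and /etc/apache2/sites-enabled, as root).
tmp=$(mktemp -d)
make_fixture "$tmp/good" good
make_fixture "$tmp/bad" bad
check_letsencrypt_tree "$tmp/good" && echo "good tree: no problems"
check_letsencrypt_tree "$tmp/bad" || echo "bad tree: $? problem(s)"
check_apache_cert_refs "$tmp/bad/sites-enabled" || echo "bad vhost: $? unusable reference(s)"
rm -rf "$tmp"
```

The tree check deliberately follows the symlinks rather than trusting that live/ exists, because a copy made with cp, with rsync -L, or without root can leave live/ in place while the archive/ files behind it are missing, empty or owned by the wrong user; certbot renewals write new archive/ files and re-point the live/ links, so a tree that passes these checks will also renew correctly on the new host. The vhost check only mirrors the existence test Apache performs, so a passing result still leaves apache2ctl configtest as the final word.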
